File system object verse System.IO namespace

[md_huhn]

In my ASP application I created a function that created a unique password that was automatically generated for the customer. Here was my code:

Public Function GetNewPassword() As String

Dim fs
Dim intPos
Dim strChar
Dim strPassword

fs = CreateObject("Scripting.FileSystemObject")

strPassword = fs.GetBaseName(fs.GetTempName)
strPassword = Right(strPassword, Len(strPassword) - 3)
intPos = Weekday(Now())
If intPos <> 5 Then
intPos = intPos Mod 5
End If
strChar = Mid(strPassword, intPos, 1)
If IsNumeric(strPassword) Then
strChar = int(strChar)
strPassword = Chr(65 + strChar) & strPassword & Chr(90 - strChar)
Else
strPassword = strPassword & Asc(strChar)
End If

fs = Nothing

GetNewPassword = strPassword

End Function


I know that I can't use the FileSystem object in ASP.Net, but cannot find an equivelent to "GetBaseName" and "GetTempName" in the System.IO. Does anyone have a suggestion as to how I can create a unique password at runtime? Or what namespace I should be using for GetBaseName?

Thanks!

[nemaroller]

Why not simply generate a string of 8 random characters, instead of using getTempName ?

Instantiating the FSO class, with all its overhead, just to produce 8 random characters is grossly inefficient.

[md_huhn]

Thanks. But how do I generate a string with 8 random characters?

[nemaroller]

VB Code:

Dim newPassWord As String = Guid.NewGuid.ToString.Substring(0, 8)

easy enough? I wouldn't bother putting in a function either, unless you will call that code from different parts of your app...

Also, there's always a chance for duplicates... I ran a few tests, and with only 8 characters, I got a duplicate at the 56,323rd request once, but you could get a duplicate on the 2nd iteration, its statistically improbable (~1% for 2000 passwords), but it could happen. So, you can decrease the odds of duplicates by generating 10 character passwords. In all, its rather a mute point because passwords are associated with usernames which are generally unique. Now you have astonomical odds of having the same username and password combo. And even at that, if you have 1000 users and two of them have the same password, how would user #234 ever guess he had the same password as user#816? And you don't allow two people to have the same username, so you really have a unique username/password combo.

36^8 (8 character passwords):
2,821,109,907,456 (or about 3 trillion unique passwords)
36^10(10 character passwords):
3,656,158,440,062,976 ( or about 3,656 trillion unique passwords)